Catching Up With The ‘EITest’ Compromise, A Year Later

We are seeing dozens of WordPress sites compromised recently with the same malicious code redirecting to the Angler exploit kit.

The attack involves large snippets of code conditionally embedded at the bottom of the site’s page source. It is important to stress that this is a conditional injection: webmasters trying to identify the issue may not see it unless they browse from a fresh IP address with a particular user-agent (Internet Explorer being the most likely to get hit).

In the last few days, we saw some popular blogs being impacted, including blogs.independent.co.uk, the blog of the UK newspaper The Independent.

WordPress compromises

The rogue code loads a Flash video file from a suspicious top-level domain such as .ga, .tk or .ml, which is used to redirect visitors to the Angler exploit kit. This is the same attack pattern we documented over a year ago (Exposing the Flash ‘EITest’ malware campaign).
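As an added example (not part of the original post), the following scanner applies the pattern described above to a captured copy of a page: it walks the HTML for `object`, `embed`, `iframe`, `script` and `param name="movie"` references and flags any that point at a .ga, .tk or .ml domain, or load a .swf from a host other than the site itself. The sample page, the `example-blog.org` site and the `abc123.example.ga` / `xyz.example.tk` hostnames are constructed for the demonstration.

```python
"""Scan captured page HTML for Flash loaders served from the suspicious TLDs named in
the post. Capture with an IE user-agent from a fresh IP first (the injection is conditional)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"ga", "tk", "ml"}  # TLDs named in the post
# Tag -> attribute that can pull remote content (plus <param name="movie"> below)
SRC_ATTRS = {"embed": "src", "object": "data", "iframe": "src", "script": "src"}

class FlashLoaderScanner(HTMLParser):
    """Collects (tag, url, reason) for each suspicious remote reference."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag in SRC_ATTRS:
            url = attrs.get(SRC_ATTRS[tag])
        elif tag == "param" and (attrs.get("name") or "").lower() == "movie":
            url = attrs.get("value")  # Flash movie path inside <object>
        if url:
            self._check(tag, url)

    def _check(self, tag, url):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host:  # relative URL: served by the site itself
            return
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            self.findings.append((tag, url, "suspicious_tld"))
        elif parsed.path.lower().endswith(".swf") and host != self.site_host:
            self.findings.append((tag, url, "external_swf"))

def scan_page(html, site_host):
    """Return suspicious loader references in html for the site at site_host."""
    scanner = FlashLoaderScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a normal page with an injected loader appended after </html>.
SAMPLE_HTML = """<html><body><embed src="https://www.example-blog.org/media/intro.swf">
<p>Post content</p></body></html>
<object data="http://abc123.example.ga/flash.swf" type="application/x-shockwave-flash">
<param name="movie" value="http://abc123.example.ga/flash.swf"></object>
<iframe src="http://xyz.example.tk/gate.php" width="1" height="1"></iframe>"""
```

Run `scan_page(SAMPLE_HTML, "www.example-blog.org")` to see the three injected references flagged while the site's own .swf passes; compare captures made with and without an Internet Explorer user-agent to expose the conditional injection.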

It’s quite likely these compromises are happening through known vulnerabilities in either WordPress or one of its plugins. According to SiteCheck from web security company Sucuri, The Independent’s blog was running an old version of WordPress (2.9.2). The latest WordPress version is 4.3.1.

This particular ‘EITest’ campaign never actually stopped; its activity increased over the last few months and has been sustained up until now.

Angler EK

Angler EK exploits Flash Player versions up to 19.0.0.207, which Adobe patched on October 16.

Malwarebytes Anti-Exploit blocks this attack thanks to its proactive exploit mitigation. Unprotected users would have been infected with the Tinba banking Trojan.

We informed The Independent about this compromise but have not heard back from them. If you are a site owner, remember to always keep your website and its CMS up to date. It’s also important to use proper passwords and harden the infrastructure as much as you can to reduce the attack surface.

If your WordPress site has been affected, keep in mind that the malicious injected code is only one symptom of the compromise. It’s important to identify backdoors and .htaccess modifications, as well as the original entry point, by reviewing your access and error logs.
